Project: ui-eholdings
Issue: UIEH-1130

underscore arbitrary code execution (CVE-2021-23358)


Details

    • Spitfire

    Description

      Overview:

      ui-eholdings has a transitive dependency on a vulnerable version of underscore but is not affected.

      Steps to Reproduce:

      According to https://github.com/advisories/GHSA-cf4h-3jhx-xvhq, FOLIO ships with a vulnerable version of underscore.

      All underscore versions from 1.3.2 to 1.12.0 are affected: the template function allows arbitrary code execution when a caller passes an unsanitized `variable` setting (fixed in 1.12.1 and 1.13.0-2): https://nvd.nist.gov/vuln/detail/CVE-2021-23358
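To make the "arbitrary code execution via the template function" concrete, here is an added example that is not underscore's source and not part of this ticket: a reduced model of how `_.template` compiles a template with the Function constructor, in its vulnerable shape (the `variable` setting spliced into the parameter list unchecked) next to the bare-identifier check that the fixed versions apply. The function names, the `PAYLOAD` string and the `__templatePwned` global are this example's own.

```javascript
// Added example (not underscore's code): a reduced model of the pattern behind
// CVE-2021-23358. Both builders compile a render function with the Function
// constructor the way _.template does; only the handling of `variable` differs.

// Vulnerable shape: whatever `variable` contains becomes the first parameter
// declaration of the generated function, without any validation.
function buildTemplateVulnerable(text, settings = {}) {
  const source = 'return ' + JSON.stringify(text) + ';';
  return new Function(settings.variable || 'obj', '_', source);
}

// Fixed shape (the check underscore 1.12.1 / 1.13.0-2 added): the variable
// name must be a bare JavaScript identifier, nothing more.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;
function buildTemplateFixed(text, settings = {}) {
  const argument = settings.variable || 'obj';
  if (!bareIdentifier.test(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  const source = 'return ' + JSON.stringify(text) + ';';
  return new Function(argument, '_', source);
}

// Constructed payload (hypothetical): a default-parameter initializer runs
// attacker-chosen code as soon as the compiled template is called without
// an argument. Here it only flips a global flag; it could do anything.
const PAYLOAD = 'obj = (globalThis.__templatePwned = true, {}), ignored';

// Runs the payload through both builders and reports what happened.
function demo() {
  globalThis.__templatePwned = false;
  const render = buildTemplateVulnerable('hello', { variable: PAYLOAD });
  render(); // the default initializer executes here
  const vulnerableExecuted = globalThis.__templatePwned === true;

  globalThis.__templatePwned = false;
  let fixedRejected = false;
  try {
    buildTemplateFixed('hello', { variable: PAYLOAD });
  } catch (e) {
    fixedRejected = true;
  }
  return {
    vulnerableExecuted,
    fixedRejected,
    fixedSideEffect: globalThis.__templatePwned,
  };
}
```

The important detail for triage is that the dangerous input is the `variable` *setting*, not the template text or the data passed at render time, so an application is only exposed where that setting can be influenced by untrusted input (or, as in this ticket, not at all if the template function is never called).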

      Running yarn why underscore against platform-complete yields:

        => Found "underscore@1.4.4"
        info Reasons this module exists
           - "@folio#eholdings#impagination#binary-search-tree" depends on it

      However, binary-search-tree declares underscore as a dependency but does not actually use it: https://github.com/louischatriot/node-binary-search-tree/pull/16

      Therefore the vulnerable template function is never reachable from ui-eholdings, and FOLIO is not affected by this vulnerability.


People

  Assignee: Unassigned
  Reporter: Julian Ladisch
